Forum Discussion
Removing Poodle TLS padding vulnerability returns RC4 warning
Hi,
We are running F5 LTM version 11.2. Recently we disabled the RC4 weak CIPHER to remove the Minimal warning from our PCI scan.
But due to the recent arrival of the Poodle TLS vulnerability we had to introduce RC4-SHA:!SSLv3, which brought back the Minimal warning for having RC4 in the acceptable CIPHER.
How can we overcome this?
This was done via F5 support suggestion. (https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html)
Previous CIPHER: NATIVE:DHE+HIGH:!SSLv3:!NULL:!RC4:!MD5:!EXP:!LOW:!EXPORT:!DES:@SPEED
New CIPHER to remove Poodle TLS: RC4-SHA:!SSLv3:!NULL:!MD5:!EXP:!LOW:!EXPORT:!DES:!DHE:!EDH:@SPEED:@STRENGTH
2 Replies
- amolari
Cirrostratus
Hi
the F5 solution 15882 states "To mitigate this vulnerability, you can create a custom cipher string for the SSL profile that uses RC4 or AES-GCM ciphers"
AES-GCM is not supported in pre 11.5.0 releases.
I think here you should upgrade (11.2.1 HF13 is the closest to your release, with TLS poodle fixed)
Alex
Alex is correct, the solution for POODLE TLS and some other attacks is to enable only RC4. But on the other side RC4 is considered unsafe itself and will probably be publicly announced to be disabled at some time in the future.
So the best fix for POODLE TLS remains the hotfix version.
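The dilemma in this thread follows from how TLS 1.0 to 1.2 suites are built: every bulk cipher is either RC4 (a stream cipher), a CBC block mode, or an AEAD mode such as AES-GCM. POODLE TLS targets CBC suites on servers whose TLS stack does not check the padding bytes, so dropping CBC on a release without AES-GCM leaves only RC4, which is exactly the suite the PCI scan flags. The script below is an added example and is not code from the thread or from F5; it classifies suite names in OpenSSL notation (the notation the cipher strings above expand to) and summarises what a scanner would report for three constructed accepted-suite lists. The lists, function names and labels are assumptions for illustration, not output from the poster's LTM.

```python
"""Classify TLS cipher-suite names (OpenSSL naming) by the property a
scanner would flag, to show why a cipher string on a release without
AES-GCM cannot clear both the POODLE-TLS and the RC4 finding at once."""

# Constructed sample lists for this example, not scanner output from the
# original poster's device. Names follow OpenSSL notation.
BEFORE = [  # roughly what a DHE+HIGH, !RC4 string on an old release offers
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
]
POODLE_WORKAROUND = ["RC4-SHA"]  # the RC4-SHA:!SSLv3 string from the question
AFTER_UPGRADE = [  # AES-GCM suites, available only once the software supports them
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
]


def classify(suite):
    """Return the record-protection mode of one suite.

    In TLS 1.2 and earlier every bulk cipher is NULL (no encryption),
    RC4 (the only stream cipher), an AEAD mode (GCM, CCM,
    CHACHA20-POLY1305) or a CBC block mode. OpenSSL names spell out
    NULL, RC4 and the AEAD modes, so whatever is left is a CBC suite
    (AES128-SHA, DES-CBC3-SHA, CAMELLIA128-SHA, ...).
    """
    if "NULL" in suite:
        return "null"
    if "RC4" in suite:
        return "rc4"
    if any(tag in suite for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    return "cbc"


def assess(suites):
    """Summarise what a PCI-style scan would report for an accepted-suite list.

    rc4  - the 'weak cipher' finding the poster wants to get rid of.
    cbc  - the suites POODLE TLS can attack when the server's TLS stack
           accepts malformed CBC padding (an implementation bug, which is
           why a hotfix removes the exposure while keeping CBC suites).
    aead - suites that trigger neither finding.
    null - no encryption at all; should never appear.
    """
    modes = [classify(s) for s in suites]
    return {
        "rc4": any(m == "rc4" for m in modes),
        "cbc": any(m == "cbc" for m in modes),
        "aead": any(m == "aead" for m in modes),
        "null": any(m == "null" for m in modes),
    }


def clean(suites):
    """True only when no RC4, CBC or NULL suite is offered and at least one
    AEAD suite is, i.e. the offering clears both scanner findings."""
    result = assess(suites)
    return result["aead"] and not (result["rc4"] or result["cbc"] or result["null"])


if __name__ == "__main__":
    for label, suites in (("previous cipher string", BEFORE),
                          ("POODLE TLS workaround", POODLE_WORKAROUND),
                          ("AES-GCM after upgrade", AFTER_UPGRADE)):
        print(f"{label:24s} {assess(suites)}  clean={clean(suites)}")
```

Run as-is to see the three rows: the original string offers only CBC suites (POODLE TLS exposure if the stack is unpatched), the workaround offers only RC4 (the Minimal finding returns), and only an AEAD-capable release can offer a list that is clean on both counts. To check a live virtual server instead, feed `classify()` the suites a scanner or `openssl s_client -cipher` run actually negotiates.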